lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20251126214209.GA1697@quark>
Date: Wed, 26 Nov 2025 13:42:09 -0800
From: Eric Biggers <ebiggers@...nel.org>
To: "Elliott, Robert (Servers)" <elliott@....com>
Cc: "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
	David Howells <dhowells@...hat.com>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Luis Chamberlain <mcgrof@...nel.org>,
	Petr Pavlu <petr.pavlu@...e.com>,
	Daniel Gomez <da.gomez@...nel.org>,
	Sami Tolvanen <samitolvanen@...gle.com>,
	"Jason A . Donenfeld" <Jason@...c4.com>,
	Ard Biesheuvel <ardb@...nel.org>,
	Stephan Mueller <smueller@...onox.de>,
	Lukas Wunner <lukas@...ner.de>,
	Ignat Korchagin <ignat@...udflare.com>,
	"keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
	"linux-modules@...r.kernel.org" <linux-modules@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2 1/2] lib/crypto: Add ML-DSA verification support

On Wed, Nov 26, 2025 at 09:29:10PM +0000, Elliott, Robert (Servers) wrote:
> 
> 
> > -----Original Message-----
> > From: Eric Biggers <ebiggers@...nel.org>
> > Subject: [PATCH v2 1/2] lib/crypto: Add ML-DSA verification support
> ...
> 
> > +++ b/lib/crypto/mldsa.c
> 
> > +} mldsa_parameter_sets[] = {
> > +	[MLDSA44] = {
> > +		.ctilde_len = 32,
> > +		.pk_len = MLDSA44_PUBLIC_KEY_SIZE,
> > +		.sig_len = MLDSA44_SIGNATURE_SIZE,
> > +	},
> > +	[MLDSA65] = {
> > +		.ctilde_len = 48,
> > +		.pk_len = MLDSA65_PUBLIC_KEY_SIZE,
> > +		.sig_len = MLDSA65_SIGNATURE_SIZE,
> > +	},
> > +	[MLDSA87] = {
> > +		.ctilde_len = 64,
> > +		.pk_len = MLDSA87_PUBLIC_KEY_SIZE,
> > +		.sig_len = MLDSA87_SIGNATURE_SIZE,
> > +	},
> ...
> > +	union {
> ...
> > +		/* The commitment hash.  Real length is params->ctilde_len */
> > +		u8 ctildeprime[64];
> > +	};
> ...
> > +	/* Recreate the challenge c from the signer's commitment hash. */
> > +	sample_in_ball(&ws->c, ctilde, params->ctilde_len, params->tau,
> > +		       &ws->shake);
> ...
> > +	/* Finish computing ctildeprime. */
> > +	shake_squeeze(&ws->shake, ws->ctildeprime, params->ctilde_len);
> ...
> > +	/* Verify that ctilde == ctildeprime. */
> > +	if (memcmp(ws->ctildeprime, ctilde, params->ctilde_len) != 0)
> > +		return -EKEYREJECTED;
> 
> Is there any way to ensure that each ctilde_len value is <= 64
> and <= the corresponding .sig_size value at compile time so there's
> no risk of overflowing any buffers?

Not at compile time, unless we do some fancy validation of each of the
three ctilde_len values against the max3() of the signature lengths
using macros.  It could be checked at runtime in a module_init function.
Seems pointless though, given that these parameters are fixed in the
ML-DSA specification.  The specification uses parameters that make sense
and are consistent with each other.

- Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ